Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2005-04-01

On Vulnerability Assessment, and Internet Reconnaissance

Today I will be discussing two completely unrelated topics, both involving very recent events.

Vulnerability Assessment

Yesterday, I was privileged to have a project of mine presented as part of the SANS WhatWorks series. Bill Geimer, my boss and the manager of the contract, presented along with the other engineer involved, Brent Duckworth. The presentation was an excellent outline of some of the challenges in implementing an enterprise-class vulnerability assessment/management system from a high level, as well as highlighting how to run such a project smoothly and properly. This was certainly one of the most successful InfoSec projects I've been involved with, and I was happy to see it highlighted to a global audience. By the close of the webinar, over 800 attendees had connected. I was pleased to see so many individuals interested in our work.

The presentation is still available online. If you're interested in effectively using vulnerability assessment tools in an enterprise or business environment, I highly recommend you listen to it. I will write a much more technical entry on designing effective vulnerability assessment tools once my research on Component-based Design of Vulnerability Assessment Tools with CORBA is complete in a few weeks. I would also be more than happy to answer any questions regarding the project here, but the reader should understand that some specific questions may reveal sensitive information and will be deferred.

Internet Reconnaissance: TCP/1025

Moving on to a more serious and technical subject, one network that I monitor has seen an enormous increase in TCP/1025 scans. The network saw nearly 2.6 million requests for this service over the 24-hour period yesterday, from 10,820 unique sources, compared to just a few thousand in previous weeks. According to IANA, this port is reserved for "network blackjack," but I doubt 10,820 people suddenly got the internet gambling+hacking bug in the same day. This was mentioned yesterday in the Internet Storm Center's diary. If anyone has any helpful information on this, please contact the handlers at the ISC so this information can get compiled and analyzed quickly. This is the kind of activity that can precede (and has in the past) a huge attack that affects everyone.
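The surge described above, a jump in both request volume and unique sources against a single port, is something a monitoring pipeline can flag automatically. The following is an added example (not code from the original post) that summarizes constructed firewall-style log lines per destination port and alerts when both counts exceed a multiple of a per-day baseline; the log format, baseline values and thresholds are assumptions.

```python
# Added example, not code from the original post: spot a destination port whose
# attempt count and unique-source count both jump far above a per-day baseline,
# the pattern the post describes for TCP/1025. Log format and baselines are
# constructed assumptions.
from collections import defaultdict

# Constructed per-day baseline from "previous weeks": port -> (attempts, unique sources)
BASELINE = {1025: (20, 10), 80: (45, 40)}

def build_sample_log():
    """Constructed log, one 'timestamp src dst proto dport' line per connection attempt."""
    lines = []
    for i in range(150):                      # 150 distinct sources, each probing TCP/1025 twice
        src = f"198.51.100.{i + 1}" if i < 125 else f"203.0.113.{i - 124}"
        lines += [f"2005-03-31T00:00:00 {src} 192.0.2.10 TCP 1025"] * 2
    for i in range(40):                       # ordinary web traffic, 40 sources
        lines.append(f"2005-03-31T00:00:00 192.0.2.{i + 20} 192.0.2.10 TCP 80")
    for i in range(3):                        # trickle to TCP/25 from 3 sources (not a surge)
        lines.append(f"2005-03-31T00:00:00 192.0.2.{i + 100} 192.0.2.10 TCP 25")
    return "\n".join(lines)

def summarize(log_text):
    """Return {dport: (attempt count, unique source count)} for TCP lines; skip malformed lines."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "TCP" or not parts[4].isdigit():
            continue
        dport = int(parts[4])
        attempts[dport] += 1
        sources[dport].add(parts[1])
    return {p: (attempts[p], len(sources[p])) for p in attempts}

def flag_surges(current, baseline, factor=10, min_sources=5):
    """Ports where both attempts and unique sources exceed factor x baseline.

    Requiring both counts to rise filters out one noisy host hammering a port;
    min_sources keeps a handful of probes to a never-seen port from alerting."""
    flagged = {}
    for port, (att, src) in current.items():
        base_att, base_src = baseline.get(port, (0, 0))
        if src >= min_sources and att > factor * max(base_att, 1) and src > factor * max(base_src, 1):
            flagged[port] = (att, src, base_att, base_src)
    return flagged

if __name__ == "__main__":
    for port, (att, src, b_att, b_src) in flag_surges(summarize(build_sample_log()), BASELINE).items():
        print(f"TCP/{port}: {att} attempts from {src} sources (baseline {b_att}/{b_src})")
```

In practice the baseline would be computed from the previous weeks' logs rather than hard-coded, and the same two-count test applied per 24-hour window.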


About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing a MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.